On my customer's computer, I keep getting processes showing up in task manager that are called browser.exe *32 (identified as Google Chrome) even though Chrome is not installed on the PC. I traced the processes to the User/AppData/LocalLow/ and the folders they are coming from are called NarratorHagg and VolunteerJawa. I have deleted them in safe mode but they keep regenerating.

I ran the FRST scan and I will post my scan log below. Any help is appreciated!

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

SUCCESS: The process with PID 932 (child process of PID 2820) has been terminated.
SUCCESS: The process with PID 928 (child process of PID 1632) has been terminated.
SUCCESS: The process with PID 2820 (child process of PID 2448) has been terminated.
SUCCESS: The process with PID 1632 (child process of PID 2464) has been terminated.
SUCCESS: The process with PID 2464 (child process of PID 2848) has been terminated.
SUCCESS: The process with PID 2448 (child process of PID 2848) has been terminated.

Error: (08/26/2014 03:09:54 PM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]

System errors:
=============
Error: (08/28/2014 08:57:31 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vnccom service failed to start due to the following error:
%%2

Error: (08/28/2014 08:45:44 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vnccom service failed to start due to the following error:
%%2

Error: (08/26/2014 03:53:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vnccom service failed to start due to the following error:
%%2

Error: (08/26/2014 03:17:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vnccom service failed to start due to the following error:
%%2

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (08/26/2014 03:15:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

CodeIntegrity Errors:
===================================
Date: 2014-08-26 15:15:02.318
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-08-26 15:15:02.287
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.